Marc-Andre Lemburg added the comment:

On 20.03.2014 23:36, Donald Stufft wrote:
> Donald Stufft added the comment:
>
> I'm still looking into what "HIGH" entails across all the various OpenSSLs
> that are in production that I can access. That "FUD" was responding to the
> attitude that it's not Python's job to do this. Python is exposing a
> security-sensitive API; it is its job.
I disagree. Python only provides an interface to OpenSSL, so the OpenSSL system defaults should be used. Maintaining system security is an easier and more scalable approach than trying to properly configure half a dozen sub-systems which happen to use OpenSSL as the basis for their SSL configuration. By forcing a specific set of ciphers, we're breaking this approach.

By restricting the set of allowed ciphers you can also create a situation where Python in its default configuration cannot talk to certain web servers which use a different set of ciphers than the one you are proposing.

We shouldn't do this in Python for the same reason we're not including a predefined set of CA root certificates with the distribution.

----------
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue20995>
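An added example, not from the tracker discussion above: it uses Python's own ssl module to show what the cipher string "HIGH" mentioned in the thread resolves to on the local OpenSSL build, and which suites such a restriction drops relative to OpenSSL's "DEFAULT" string, i.e. the interoperability cost the comment weighs. The function names are my own.

```python
import ssl

# Added example (not part of the tracker discussion): resolve an OpenSSL
# cipher string through Python's ssl module and compare it with OpenSSL's
# own "DEFAULT" string to see which suites a restriction would remove.
# "HIGH" is the cipher string named in the thread.


def enabled_ciphers(cipher_spec):
    """Names of the cipher suites `cipher_spec` enables, as resolved by
    the OpenSSL build this interpreter is linked against."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_spec)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def weakest_strength_bits(cipher_spec):
    """Smallest symmetric key strength (bits) among the enabled suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_spec)
    return min(c["strength_bits"] for c in ctx.get_ciphers())


def dropped_by_restriction(restricted_spec, baseline_spec="DEFAULT"):
    """Suites the baseline enables but the restricted string removes: the
    suites a client built with `restricted_spec` can no longer negotiate,
    so a server offering only those becomes unreachable."""
    baseline = enabled_ciphers(baseline_spec)
    kept = set(enabled_ciphers(restricted_spec))
    return [name for name in baseline if name not in kept]


if __name__ == "__main__":
    print("OpenSSL build:", ssl.OPENSSL_VERSION)
    print("suites enabled by DEFAULT:", len(enabled_ciphers("DEFAULT")))
    print("suites enabled by HIGH:   ", len(enabled_ciphers("HIGH")))
    print("weakest HIGH suite (bits):", weakest_strength_bits("HIGH"))
    for name in dropped_by_restriction("HIGH:!aNULL:!eNULL"):
        print("dropped by HIGH:!aNULL:!eNULL:", name)
```

The numbers differ from one OpenSSL build to the next, which is exactly why the comment argues for leaving the choice to the system.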